Security Bulletin
Summary
There is a classloader manipulation vulnerability in the Apache Struts 1 that is used by IBM WebSphere Application Server, IBM WebSphere Application Server Hypervisor Edition and IBM WebSphere Extended Deployment Compute Grid.
Vulnerability Details
CVEID: CVE-2014-0114
Description: Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. Struts 1 is used by IBM WebSphere Application Server and IBM WebSphere Extended Deployment Compute grid.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92889 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Affected Products and Versions
This problem affects the following versions of the WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition:
· Version 7
· Version 6.1
This is not an issue with Version 8.0 or 8.5 of IBM WebSphere Application Server or IBM WebSphere Application Server Hypervisor Edition:
This problem affects the Modern Batch Feature Pack on WebSphere Application Server Version 7.
This problem also affects the following versions of WebSphere Extended Deployment Compute Grid:
· Version 8 on WebSphere Application Server Version 7 or Version 8
· Version 6.1 on WebSphere Application Server Version 6.1 or Version 7
Remediation/Fixes
The Apache Struts used by the Administrative Console in WebSphere Application Server and batch processing in IBM Compute Grid may be vulnerable to a class loader manipulation. IBM recommends installing recommended fixes as outlined below.
If your Java Web Application is using Apache Struts version 1.x that is available in WebSphere Application Server's optional libraries, you also may be vulnerable. You will need to verify if your application is affected. WebSphere Application Server Version 7.0 deprecated the inclusion of version 1.x of Struts in 2008. We recommend that you upgrade your Struts 1 from Apache to include a version of Struts that has this fixed. Your application should be thoroughly tested to verify that it does not have any issues. Please refer to the Apache site for information and download: Apache Struts Web site. (struts.apache.org) For more information on migrating from Struts 1 to Struts 2, please refer to the Apache Struts Migration Guide at
http://struts.apache.org/docs/migration-guide.html
If this mitigation will not work for you, please contact IBM Support.
Please note: IBM does not plan on shipping any fix for Struts 1.x as the fix is only available at the current levels of Apache Struts which can only be obtained from the Apache Struts website.
Important! IBM is planning on removing and no longer shipping all 4 versions of Struts Version 1.x from the optional Libraries starting in WebSphere Application Server 7.0.0.43, 8.0.0.13, 8.5.5.11 and 9.0.0.1. If you have copied the optional Struts packages to your shared library for your applications to use, you will need to take the following actions prior to moving to 7.0.0.43, 8.0.0.13, 8.5.5.11 or 9.0.0.1.
- Upgrade your applications to use a current level of Struts
- Include a copy of the Struts 1.x package from Apache that contains the fix as part of your ear file development.
FIXES for WebSphere Application Server and batch processing in IBM Compute Grid:
The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical. There are 2 separate interim fixes that may need to be applied, links to Fix Central are provided below:
APARs
PI17190 for the Administrative Console
PI17420 for Administering batch jobs in Compute Grid
Fix:Apply a Fix Pack or PTF containing the above APARs, as noted below:
For affected IBM WebSphere Application Server:
For V7.0.0.0 through 7.0.0.31:
- Apply Interim Fix PI17190
- Apply Fix Pack 7.0.0.33 or later.
For V6.1.0.0 through 6.1.0.47:
- Apply Interim Fix PI17190
For affected Modern Batch Feature Pack on WebSphere Application Server Version 7:
For V1.0.0.0 through 1.0.0.5:
For affected IBM WebSphere Application Server Extended Deployment Compute Grid:
For Compute Grid V8.0.0.0 through 8.0.0.3 on WebSphere Application Server Version 8 or WebSphere Application Server Version 7
- Apply Interim Fixes PI17420
- Apply Compute Grid Fix Pack 8.0.0.4 or later.
For Compute Grid V6.1 on WebSphere Application Server Version 6.1 or 7.0:
- Contact IBM Support for the Interim Fix
Get Notified about Future Security Bulletins
Important Note
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
References
Change History
15 May 2014: Original document published
16 May 2014: Added Modern Batch and Migration Information
28 May 2014: Updated bullet on Apache Struts
18 December 2014: updated broken Apache Struts link
30 June 2016: updated optional library fixpacks
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg21672316